capistrano-unicorn-nginx 4.2.0 → 5.0.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/lib/capistrano/tasks/nginx.rake +13 -4
- data/lib/capistrano/unicorn_nginx/version.rb +1 -1
- data/lib/generators/capistrano/unicorn_nginx/templates/_default_server_directive.erb +4 -22
- data/lib/generators/capistrano/unicorn_nginx/templates/nginx_conf.erb +1 -7
- metadata +1 -1
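--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0fa877d749e83b2c34f3b32afe592b02e64c5e2a
+data.tar.gz: 548a8d063c482223211352b23f9448abc49346c8
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5b74ee7655764aa5b1b377fd780d62c6e08ad9a4f3b21cd1c224a81b64d114aaeaaf58c490e09fda1faca0de4f7727a55d5af2eda137449c1e147ab8b226bb19
+data.tar.gz: e05853236f43bb5d13b33604f5cffc6b8dfc31af551ecc1e4c18cbb9b7d4071428cb0a9757bf8fd45487594b298af1c4eadfc2b83fdc1d002e25adbcf9143ae4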
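--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 ### master
 
+### v5.0.0, 2018-02-08
+- Remove `nginx_pass_ssl_client_cert` in favor of nginx_use_client_ssl
+- Add `nginx_server_ssl_ports` to specify which ports nginx should listen on
+- Remove `nginx_use_spdy`. Use `nginx_use_http2` instead.
+
 ### v4.2.0, 2018-02-08
 - Add support for client authentication using a root CA. Inspired by
 http://www.pandurang-waghulde.com/2014/06/client-side-ssl-certificate.html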
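--- a/data/lib/capistrano/tasks/nginx.rake
+++ b/data/lib/capistrano/tasks/nginx.rake
@@ -14,10 +14,19 @@ namespace :load do
 # ssl options
 set :nginx_location, '/etc/nginx'
 set :nginx_use_ssl, false
-set :nginx_use_spdy, false
 set :nginx_use_http2, false
-# if true,
-
+# if true, verifies the client certificate, and passes a number of variables
+# in the header to the application server consumption in Ruby code. These
+# are:
+# - X-Client-DN: the Distinguished Name of the certificate
+# - X-Client-Serial: the Serial Number of the certificate
+# - X-Client-Verify:
+# - SUCCESS if a certificate was supplied that was signed by the CA.
+# - FAILED if a certificate was supplied that was not signed by the CA.
+# - NONE if no certificate was supplied
+# - X-Client-Raw-Cert: the raw (PEM) version of the supplied certificate
+set :nginx_use_client_ssl, false
+set :nginx_ssl_client_ca, '' # the location of the root CA (on server)
 set :nginx_ssl_cert, -> { nginx_default_ssl_cert_file_name }
 set :nginx_ssl_cert_key, -> { nginx_default_ssl_cert_key_file_name }
 set :nginx_ssl_cert_path, -> { nginx_default_ssl_cert_file_path }
@@ -33,11 +42,11 @@ namespace :load do
 end
 
 namespace :nginx do
-
 task :defaults do
 on roles :web do
 set :nginx_server_name, fetch(:nginx_server_name, host.to_s)
 set :nginx_server_port, fetch(:nginx_server_port, 80)
+set :nginx_server_ssl_ports, fetch(:nginx_server_ssl_ports, [443])
 end
 end
 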
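Review bot: The new comment above `set :nginx_use_client_ssl` says nginx "verifies the client certificate", but the template in this release pairs the option with `ssl_verify_client optional_no_ca`, under which nginx still forwards requests whose certificate is missing or not signed by the CA. The comment should say so, for example `# nginx does not reject the request on FAILED or NONE; the application must check X-Client-Verify itself`. The default `set :nginx_ssl_client_ca, ''` would also render an empty `ssl_trusted_certificate` path when only `nginx_use_client_ssl` is switched on, so a guard that aborts the deploy when the CA path is blank would fail earlier and more clearly. The enclosing `namespace :load` block starts above the first hunk.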
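--- a/data/lib/generators/capistrano/unicorn_nginx/templates/_default_server_directive.erb
+++ b/data/lib/generators/capistrano/unicorn_nginx/templates/_default_server_directive.erb
@@ -1,24 +1,14 @@
-<% if fetch(:nginx_use_ssl) && nginx_pass_ssl_client_cert -%>
-# source: http://forum.nginx.org/read.php?2,236546,236596
-map $ssl_client_raw_cert $a {
-"~^(-.*-\n)(?<1st>[^\n]+)\n((?<b>[^\n]+)\n)?((?<c>[^\n]+)\n)?((?<d>[^\n]+)\n)?((?<e>[^\n]+)\n)?((?<f>[^\n]+)\n)?((?<g>[^\n]+)\n)?((?<h>[^\n]+)\n)?((?<i>[^\n]+)\n)?((?<j>[^\n]+)\n)?((?<k>[^\n]+)\n)?((?<l>[^\n]+)\n)?((?<m>[^\n]+)\n)?((?<n>[^\n]+)\n)?((?<o>[^\n]+)\n)?((?<p>[^\n]+)\n)?((?<q>[^\n]+)\n)?((?<r>[^\n]+)\n)?((?<s>[^\n]+)\n)?((?<t>[^\n]+)\n)?((?<v>[^\n]+)\n)?((?<u>[^\n]+)\n)?((?<w>[^\n]+)\n)?((?<x>[^\n]+)\n)?((?<y>[^\n]+)\n)?((?<z>[^\n]+)\n)?(-.*-)$" $1st;
-}
-<% end -%>
-
 server {
 <% if fetch(:nginx_use_ssl) -%>
-<%
-
-<% elsif fetch(:nginx_use_spdy) -%>
-listen <%= ssl_port %> spdy;
-<% else -%>
-listen <%= ssl_port %>;
+<% fetch(:nginx_server_ssl_ports).each do |port| -%>
+listen <%= port %> <%= 'http2' if fetch(:nginx_use_http2)-%>;
 <% end -%>
 ssl on;
 ssl_certificate <%= nginx_ssl_cert_file %>;
 ssl_certificate_key <%= nginx_ssl_cert_key_file %>;
 <% if fetch(:nginx_use_client_ssl) -%>
 ssl_trusted_certificate <%= nginx_ssl_client_ca %>;
+ssl_verify_client optional_no_ca;
 <% end -%>
 
 ssl_session_cache shared:SSL:10m;
@@ -38,10 +28,6 @@ server {
 
 add_header X-Content-Type-Options nosniff;
 
-<% if fetch(:nginx_use_ssl) && (nginx_pass_ssl_client_cert || fetch(:nginx_use_client_ssl)) -%>
-ssl_verify_client optional_no_ca;
-<% end -%>
-
 client_max_body_size 4G;
 keepalive_timeout 10;
 
@@ -66,11 +52,7 @@ server {
 proxy_set_header X-Client-Dn $ssl_client_s_dn;
 proxy_set_header X-Client-Serial $ssl_client_serial;
 proxy_set_header X-Client-Verify $ssl_client_verify;
-
-
-<% if fetch(:nginx_use_ssl) && nginx_pass_ssl_client_cert -%>
-# source: http://forum.nginx.org/read.php?2,236546,236596
-proxy_set_header X-Client-Cert $a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$v$u$w$x$y$z;
+proxy_set_header X-Client-Raw-Cert $ssl_client_raw_cert;
 <% end -%>
 
 proxy_pass http://unicorn_<%= fetch(:nginx_config_name) %>;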
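Review bot: `proxy_set_header X-Client-Raw-Cert $ssl_client_raw_cert;` in the third hunk puts a multi-line PEM value into a single request header, which is what the removed `map` block was working around; upstreams commonly reject or mis-parse header values that contain newlines. On nginx 1.13.5 or later the URL-encoded variable avoids this, `proxy_set_header X-Client-Raw-Cert $ssl_client_escaped_cert;`, with the application decoding it. Separately, because the first hunk keeps `ssl_verify_client optional_no_ca;`, requests with an unverified or absent certificate still reach unicorn, so the application has to reject anything whose `X-Client-Verify` is not `SUCCESS`. The `<% if %>` that the trailing `<% end -%>` closes begins outside the hunk, so it is worth confirming that the `X-Client-*` headers are set or cleared on every server block; otherwise a client-supplied header of the same name would pass through to the application.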
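--- a/data/lib/generators/capistrano/unicorn_nginx/templates/nginx_conf.erb
+++ b/data/lib/generators/capistrano/unicorn_nginx/templates/nginx_conf.erb
@@ -16,10 +16,4 @@ server {
 }
 <% end -%>
 
-
-<%= template_to_s("_default_server_directive.erb", ssl_port: 443, nginx_pass_ssl_client_cert: false).to_s %>
-
-<% if fetch(:nginx_pass_ssl_client_cert) -%>
-<%# render the server directive with SSL client certificate authentication enabled on port 444 %>
-<%= template_to_s("_default_server_directive.erb", ssl_port: 444, nginx_pass_ssl_client_cert: true).to_s %>
-<% end -%>
+<%= template_to_s("_default_server_directive.erb").to_s %>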
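Review bot: Deployments that still set `nginx_pass_ssl_client_cert` lose the port-444 server block here without any error, since the stale setting is presumably never read again after this release. A check in the rake defaults that aborts when the removed key is present, e.g. `abort 'nginx_pass_ssl_client_cert was removed; use nginx_use_client_ssl' if fetch(:nginx_pass_ssl_client_cert, nil)`, would make the change visible at deploy time instead of at the first failed client login. The forwarded header is also renamed from `X-Client-Cert` to `X-Client-Raw-Cert` in the partial, which applications reading the old name need to be told about in the changelog.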